Oxfam Australia's Enforceable Undertaking: a reminder of the critical importance of privacy compliance for not-for-profits
On 20 February 2025, the Australian Privacy Commissioner accepted an enforceable undertaking from Oxfam Australia following a significant data breach that occurred in January 2021.
Background to the privacy breach
In January 2021, an unknown user gained unauthorised access to an Oxfam Australia database, compromising up to 1.7 million Oxfam Australia records containing personal information.
On 10 September 2021, the Privacy Commissioner commenced an investigation into whether Oxfam Australia's acts and practices complied with the Privacy Act 1988 (Cth). The investigation identified concerns of potential non-compliance with Australian Privacy Principle (APP) 11 – security of personal information. The Privacy Commissioner's specific concerns were:
the use of live supporter data in the User Acceptance Testing database, and the use of shared credentials by those with access to that database – which is relevant to APP 11.1 (the obligation to take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure); and
the period of time that Oxfam Australia retained the personal information of its supporters in its databases – which is relevant to APP 11.2 (the obligation to take reasonable steps to destroy or de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed).
Oxfam Australia acknowledged the Privacy Commissioner's concerns and offered an Enforceable Undertaking to address them.
The Enforceable Undertaking
As part of the Enforceable Undertaking, Oxfam Australia committed to several measures to enhance its privacy practices including:
Not storing certain personal information for longer than seven years.
Avoiding the use of shared credentials wherever possible.
Implementing robust password security controls.
Providing staff, contractors and volunteers with updated guidance, procedures, and training.
Conducting privacy threshold assessments and, where necessary, privacy impact assessments for any project that involves handling personal information for testing purposes. These assessments must address the quantity and kinds of personal information actually needed for testing, and the practicability of less privacy-intrusive options (for example, using de-identified or synthetic data instead of live supporter data).
The Information Commissioner has published guidance for not-for-profits
The Office of the Australian Information Commissioner has incorporated learnings from the Oxfam Australia incident into its updated privacy guidance for not-for-profits, emphasising the importance of good privacy practices.
We recommend that not-for-profits familiarise themselves with this guidance and build the recommendations into their personal information handling practices.
A few key takeaways for not-for-profits
Collect only what you need: ensure that your organisation only collects personal information that is necessary for its operations. Avoid collecting excessive or irrelevant data.
Secure storage: store personal information securely and implement appropriate measures to protect it from unauthorised access, modification, or disclosure.
Retention and destruction: regularly review the personal information you hold and destroy or de-identify data that is no longer required. Data you no longer hold cannot be compromised, so this both reduces the impact of a data breach and helps ensure compliance with retention obligations.
Data Breach Response Plan: develop, maintain and regularly test a data breach response plan. Being prepared will enable your organisation to respond quickly and effectively in the event of a data breach.
Third-party arrangements: when engaging third-party service providers, ensure that their privacy practices align with your organisation's standards. Conduct periodic reviews and ensure that personal information is deleted at the end of the contract term.
By following these guidelines, not-for-profits can help build trust with their supporters, maintain stronger relationships with the community, and reduce the risk of harm resulting from data breaches.
Do you need any help managing your privacy compliance?
Geoff Adams, Legal Director and James Pratt, Special Counsel, have over 25 years’ combined experience conducting privacy impact assessments and advising not-for-profit, private sector and Australian Government clients on their privacy obligations.
If your organisation has any privacy questions, or would like assistance reviewing its privacy compliance, please contact us.
James Pratt, Special Counsel +61 423 368 823 | james.pratt@adaptbl.com.au
Geoff Adams, Director +61 404 608 231 | geoff.adams@adaptbl.com.au